Werk #20144: Distributed monitoring: fix message broker connection breaking on remote sites
| Component | Core & setup | ||||||
| Title | Distributed monitoring: fix message broker connection breaking on remote sites | ||||||
| Date | Jun 24, 2026 | ||||||
| Level | Trivial Change | ||||||
| Class | Bug Fix | ||||||
| Compatibility | Compatible - no manual interaction needed | ||||||
| Checkmk versions & editions |
|
In distributed monitoring setups, the message broker connection from the central site to a remote site could intermittently fail with an authentication error such as:
ACCESS_REFUSED - Login was refused using authentication mechanism EXTERNAL
The cause was that locally triggered activations on a remote site -- for example the agent auto-registration background job or automatic host removal -- recomputed the message broker definitions from the remote site's own site list. A remote site does not know about the central site, so the recomputed definitions were empty and the central site's broker user was deleted, which broke the EXTERNAL (certificate) authentication used between the sites.
Remote sites no longer recompute the message broker definitions during locally triggered activations. The broker configuration is owned by the central site and distributed to the remote sites through the regular configuration synchronization, so the central site's broker user is preserved.
If, before this update, you experienced the "Access refused" issue and the piggyback hub is not working, you need to manually trigger the certificate syncing in the distributed setup page to resume the broker connection.